Electronic communication system and method of detecting a relay attack thereon

ABSTRACT

In the case of an electronic communication system (100) having: a) at least one base station (10) having at least one antenna unit (16: 16 a, 16 b), in particular in coil form, which base station (10) is arranged in particular on or in an object to be secured against unauthorized use and/or against unauthorized access, such as on or in, say, a means of transport or on or in an access system, and, b) at least one transponder station (40), in particular in data-carrier form, having at least one antenna unit (44: 44 a, 44 b), in particular in coil form, which transponder station (40), c) may in particular be carried with him by an authorized user and/or, d) is designed to exchange data signals (22, 24) with the base station (10), in which case, by means of the data signals (22, 24), e) the authorization for use and/or access can be determined and/or, f) the base station (10) can be controlled accordingly, and in the case of a method of detecting and/or guarding against at least one, in particular external, attack, and preferably at least one relay attack, on an electronic communication system (100) of this kind, to enable the electronic communication system (100) and the method to be further developed in such a way that the attack is at least made substantially more difficult and if possible is fully guarded against and prevented, it is proposed that, g) there be arranged in the base station (10) at least one first delay element (17) for setting a defined, and in particular substantially constant, signal transit time (t₁) within the base station (10) and/or, h) there be arranged in the transponder station (40) at least one second delay element (47) for setting a defined, and in particular substantially constant, signal transit time (t₂) within the transponder station (40).

The present invention relates in general to the technical field of security and/or access systems, and in particular to that of so-called P[assive] K[eyless] E[ntry] systems, such as are used, for example, in the area of means of transport and in this case above all in the area of access systems for motor vehicles.

Specifically, the present invention relates to an electronic communication system as detailed in the preamble to the main claim, and to a method of detecting and/or guarding against at least one attack, and particularly an external attack and preferably at least one relay attack, on at least one electronic communication system as detailed in the preamble to the main claim.

To produce electronic communication systems, and particularly P[assive] K[eyless] E[ntry] systems, of the kind specified above that have amongst other things a conventional passive transponder system, use is conventionally made of various configurations. One possible configuration is shown in FIGS. 1A and 1B of the drawings, the example used being that of a P[assive] K[eyless] E[ntry] system for a motor vehicle:

Between a so-called base station 10, that is fitted with an antenna unit 16 in the form of a coil, and a transponder station 40, a communication sequence in the form of a data exchange takes place:

In detail there are, as signal-transmission links between the base station 10 and the transponder station 40, a so-called up-link frame 22 that is formed, for example, by at least one inductively coupled L[ow] F[requency] channel and over which signals are transmitted from the base station 10 to the transponder station 40, and a so-called down-link frame 24 that is formed, for example, by at least one U[ltra] H[igh] F[requency] channel and over which signals are transmitted from the transponder station 40 to the base station 10. As an alternative to this, both the up-link frame 22 and the down-link frame 24 may each be formed by at least one L[ow] F[requency] channel or, as an alternative to this in turn, both the up-link frame 22 and the down-link frame 24 may each be formed by at least one U[ltra] H[igh] F[requency] channel.

After, for example, a door handle of the motor vehicle or a pushbutton on a door of the vehicle has been operated, the base station 10, which is spatially and functionally associated with the motor vehicle, begins to generate a signal that is referred to as a “challenge” and that is transmitted to the transponder station 40 via the up-link frame 22. A circuit arrangement 42 in the transponder station 40, which is preferably equipped with at least one microprocessor, then calculates from the challenge, using a cryptographic algorithm and a secret key, a signal sequence that is referred to as a “response”. This response signal is then transmitted from the transponder station 40 to the base station 10 via the down-link frame 24.

The base station 10 then compares the response, using an identical crypto-algorithm and an identical secret key. If identity is found, the base station 10 causes the door lock of the motor vehicle to open, i.e. only if, generally by using cryptographic methods, the authentication process recognizes the transponder station 40 as valid is, in the embodiment given as an example, the door lock of the motor vehicle opened.

If, however, this circuit arrangement is operated in the form shown in FIGS. 1A and 1B without any other added technical provisions, there is a danger that an external attacker, who is attempting to open the door of the vehicle without being authorized to do so, may carry out a so-called “relay attack”, as described below, using relatively little in the way of technical resources.

Shown diagrammatically in FIGS. 2A and 2B is an arrangement for carrying out a relay attack of this kind. For this purpose, there is introduced into the configuration shown in FIGS. 1A and 1B an “attacker kit” in the form of an additional transmission link 30 that comprises a first relay 32 in the form of an emulator for the transponder station, a second relay 36 in the form of an emulator for the base station, and a communications link 35 between the first relay 32 and the second relay 36.

In this connection, the communications link 35 between the first relay 32 and the second relay 36 may take the form of at least one bi-directional transmission channel of any desired type that allows there to be a random distance between the first relay 32 and the second relay 36.

To allow inductive coupling to the antenna unit 16 of the base station 10, the first relay 32 in the form of the transponder station emulator is fitted with an associated antenna unit 34 in the form of a coil; similarly, the second relay 36 in the form of the base station emulator is fitted with an associated antenna unit 38 in the form of a coil for inductive coupling to an antenna unit 44 in coil form of the transponder station 40.

One attacker then takes up position in the immediate vicinity of the motor vehicle with the first relay 32. A second attacker positions himself sufficiently close to the valid transponder station 40 with the second relay 36. Triggered by, for example, the operation of a door handle of the motor vehicle or of a pushbutton on a door of the motor vehicle, the base station 10 in the motor vehicle transmits its challenge to the first relay 32 by means of the original, i.e. unemulated, up-link frame 22.

From this first relay 32, the challenge is passed on via the above-mentioned communications link 35 to the second relay 36. The second relay 36 emulates the up-link 22 and in this way passes on the challenge to the valid transponder station 40 by means of the antenna unit 38 in coil form. Once the response has been calculated in the valid transponder station 40, this transponder station 40 responds to the second relay 36 by transmitting this response by means of the original, i.e. non-emulated down-link frame 24.

From this second relay 36, the response is passed on via the above-mentioned communications link 35 to the first relay 32. The first relay 32 emulates the down-link frame 24 and in this way passes on the response to the valid base station 10 in the motor vehicle by means of the antenna unit 34 in coil form.

Because the response was produced by the authentic transponder station 40 on the basis of the authentic challenge from the base station 10 using the correct crypto-algorithm and the correct key, the response is recognized as valid and the door of the motor vehicle opens, even though the authorized and rightful user does not want this.

In view of the fact that more stringent demands are being made nowadays on the operation and security of certain components, precisely in, for example, the area of automobiles and the area of access, the configuration shown in FIGS. 1A and 1B, which can be sabotaged by the measures shown in FIGS. 2A and 2B, appears not to be sufficiently secure.

Accordingly, certain proposals for detecting and guarding against relay attacks of this kind have already been made in the past. In printed publication EP 1 136 955 A2 for example, there is disclosed an arrangement for an access-safeguarding system (a P[assive] K[eyless] E[ntry] system) by means of which the relative orientation of the base station 10 and the transponder station 40 to one another can be calculated.

Under another proposal, to allow such relay attacks to be detected and guarded against, the time between the challenge and the response is determined to enable an additional delay due to the delays caused by the electronics of the relays and to the additional transit time of the signals between the relay stations to be detected in this way (the transit-time measurement method).

However, it is virtually impossible for a relay attack to be detected by the signal transit-time measurement method in a current transponder system having a carrier frequency of 125 kilohertz, because the stringent requirements for accuracy in the measurement of time can hardly be met in practice, the main reasons for which are tolerances in the filters used and temperature problems.

So, to enable a relay attack to be safely and reliably detected by transit-time measurement, very stringent demands have to be made on the accuracy with which time is measured. Shown in FIG. 3 in schematic form is the principle of a measurement of signal transit-time of this kind, for detecting a relay attack as shown in FIGS. 2A and 2B, such as would be used in the case of the prior art embodiment shown in FIGS. 1A and 1B. The total signal transit-time works out as follows in this case:

$$t_{total} = t_{TXD1} + t_{s} + t_{RXD2} + t_{CARD} + t_{TXD2} + t_{s} + t_{RXD1}$$

A criterion for the occurrence of a relay attack is therefore that, due to the additional relay link, the distance s between the base station 10 and the transponder station 40 exceeds a given maximum permitted distance s_(max). To allow a relay attack to be detected, this distance s, which can be calculated from the transit time t_(s) of the signals 22, 24 and the known speed of propagation of the signals 22, 24 using the formula s = v_(s)·t_(s), has to be determined as accurately as possible.

However, it has to be remembered that in the case of a signal transit-time measurement as in FIG. 3, the additional delays t_(TXD1), t_(RXD2), t_(CARD), t_(TXD2) and t_(RXD1) are added to the signal transit time t_(s) that is wanted. For the distance s between the base station 10 and the transponder station 40 to be accurately determined, and hence too for a sufficiently short maximum permitted distance s_(max) (with no great safety reserve) to be selected, these additional components of the signal transit time need to be known, or need to be determined with sufficient accuracy.

Another thing that needs to be borne in mind in this case is that in a practical system to be produced in large numbers at low cost, considerable tolerances Δt_(TXD1), Δt_(TXD2), Δt_(RXD1) and Δt_(RXD2) can be expected on the signal transit times due to the electronics of the base station 10 and/or of the transponder station 40. These tolerances are due to the effects of ageing, to scatter among the components used and to the effects of temperature. Unless additional steps are taken, these tolerances too have to be allowed for when determining the threshold value s_(max).

On the basis of the disadvantages and deficiencies described above and with due acknowledgement of the prior art outlined, it is an object of the present invention to further develop an electronic communication system of the kind described at the beginning, and a method of detecting and/or guarding against at least one external attack, and preferably at least one relay attack, on at least one electronic communication system of the kind described at the beginning, in such a way that the attack is at least made considerably more difficult and if possible is completely guarded against and prevented.

This object is achieved by an electronic communication system having the features specified in claim 1 and by a method having the features specified in claim 7. Advantageous embodiments and useful refinements of the present invention are characterized in the respective sets of dependent claims.

Under the teaching of the present invention

-   there is arranged in the base station at least one first adjustable delay element for setting a defined, and in particular substantially constant, signal transit time t₁ within the base station and/or
-   there is arranged in the transponder station at least one second adjustable delay element for setting a defined, and in particular substantially constant, signal transit time t₂ within the transponder station.

An additional, adjustable signal propagation delay is thus introduced, in accordance with the invention, into the transmission chain.

By means of the first adjustable delay element and by means of the second adjustable delay element, the signal transit time t₁ within the base station and the signal transit time t₂ within the transponder station can be respectively set, which means that the attack is detected if the sum of the signal transit time t₁ within the base station, the signal transit time t₂ within the transponder station, and twice the signal transit time t_(s) of the data signals between the base station and the transponder station exceeds a defined threshold value t_(s,max).

Hence, the basic idea behind the present invention is to compensate for the signal transit times of the transmitting and receiving units of P[assive] K[eyless] E[ntry] systems, suitable technical steps being taken (= arrangement of at least one first adjustable delay element for setting a defined, and in particular substantially constant, signal transit time t₁ within the base station and/or arrangement of at least one second adjustable delay element for setting a defined, and in particular substantially constant, signal transit time t₂ within the transponder station) to ensure as constant as possible a signal propagation delay for the transmitting and receiving sub-assemblies both at the base station end, e.g. on or in the vehicle to be secured, and at the transponder end, on or in the PKE data carrier (the PKE card).

By suitable regulation and setting of the particular delays t_(D1) and t_(D2) within the base station and transponder station respectively by means of the respective additional delay elements, improved conditions are obtained for detecting and/or guarding against relay attacks, as shown by the following equations:

$$t_{1} = t_{RXD1} + t_{D1} + t_{TXD1} = \text{substantially constant},$$

$$t_{2} = t_{RXD2} + t_{D2} + t_{CARD} + t_{TXD2} = \text{substantially constant}.$$

A relay attack is therefore taking place if the following threshold value condition is met:

$$t_{s,max} < t_{1} + t_{2} + 2t_{s} = t_{RXD1} + t_{D1} + t_{TXD1} + t_{RXD2} + t_{D2} + t_{CARD} + t_{TXD2} + 2t_{s}.$$

In a practical implementation, a comparison may therefore advantageously be made with a fixed threshold t_(s,max), once the latter has been defined, in which case allowance will advantageously have been made for the dependences of the signal transit times on the system tolerances Δt_(TXD1), Δt_(TXD2), Δt_(RXD1) and Δt_(RXD2).

In a particularly inventive refinement of the present electronic communication system and of the method of detecting a relay attack thereon, provision may be made for optional temperature measurement, by means of which it is possible, by using the additional delay elements, to produce ensuing compensation for the temperature dependence with the aim of obtaining total delays t₁ within the base station and t₂ within the transponder station which are each constant and, in particular, non-temperature-dependent.

The (regulating) algorithm for implementing the method according to the present invention may preferably be executed even during a communication between the base station and transponder station, to prevent an external attack on the regulating algorithm by detection of the attacking relays. In this case, the relays have to pass on the data if the protocol is not to be violated.

In an advantageous embodiment of the present invention, the regulating algorithm for producing the signal transit times t₁ and t₂ may be executed by any desired method, such as, for example, the counting method or the successive approximation method.

The delay element, which is preferably multistage and preferably switchable, may usefully comprise suitable components of any desired kinds such as, say,

-   at least one digital gate subject to a known signal transit time and/or
-   at least one filter and/or
-   at least one clocked shift register.

The man skilled in the art of communications electronics, such as, for example, an electrical engineer having detailed knowledge in the field of security systems, will be particularly appreciative of the fact that the present invention assists in the production of a P[assive] K[eyless] E[ntry] system that is highly resistant to external attack, i.e. by an exact measurement of time it makes so-called “relay attack” very much more difficult. In line with this, it becomes possible for an additional exact measurement of time for detecting a relay attack with increased reliability to be implemented in a manner suitable for practical application.

For the practical implementation of the measurement of time, a comparison of the total signal transit time measured may advantageously be made, with great accuracy, with a fixed threshold t_(s,max) subject to tight tolerances, in which case inexpensive modes of implementation that are possible make the electronic communication system and the associated method highly attractive for use in mass production.

The present invention, which extends both to at least one base station of the kind described above and to at least one transponder station of the kind described above, may advantageously also be used in systems that are widely employed in the field of so-called “immobilizer” systems for means of transport and particularly motor vehicles.

Another area of application for the present invention is in the field of building security, because the electronic communication system, with its base station and also with its transponder station, is also superbly well suited to the production of secure access systems based on transponders, and particularly on data carriers such as, say, chip cards or P[assive] K[eyless] E[ntry] cards.

Hence, the base station may be arranged on or in an object or building that is to be secured against unauthorized use and/or against unauthorized access, such as on or in a means of transport, say, or on or in an access system.

As has already been discussed above, there are various possible ways in which the teaching of the present invention may advantageously be embodied and refined. These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.

In the drawings:

FIG. 1A is a schematic view showing the principle of communication, based on inductive coupling, between a base station and an associated transponder station as in a prior art embodiment.

FIG. 1B is the equivalent electrical circuit diagram of the principle of communication shown in FIG. 1A.

FIG. 2A is a schematic representation of a so-called “relay attack” on the prior art embodiment shown in FIGS. 1A and 1B.

FIG. 2B is the equivalent electrical circuit diagram of the relay attack shown in FIG. 2A.

FIG. 3 is a schematic representation of the principle on which signal transit time is measured to allow the relay attack shown in FIGS. 2A and 2B to be detected, in the case of the prior art embodiment shown in FIGS. 1A and 1B.

FIG. 4 is a schematic representation of the principle of measurement according to the present invention for detecting the relay attack shown in FIGS. 2A and 2B, which principle is based on the production of constant signal transit times, in an embodiment according to the present invention, and

FIG. 5 is a schematic representation of the measures according to the present invention for regulating the delay to signal propagation within the base station and/or within the transponder station to constant signal transit time values as in FIG. 4.

Arrangement, elements or features that are the same or similar in FIGS. 1A to 5 are given the same reference numerals.

As is shown in FIG. 4 by an embodiment, what is implemented by means of the present invention is an electronic communication system 100 that has, amongst other things, a transponder system (= transponder station 40 in the form of a data carrier, namely a P[assive] K[eyless] E[ntry] card), which in turn is part of a system for opening and closing the door locks of a motor vehicle.

The PKE card 40 has a receiver unit 49 a having a signal transit time t_(RXD2), the receiver unit 49 a being connected to an antenna unit 44 a and being used to receive data signals 22 from a base station 10. The PKE card 40 also has a transmitter unit 49 b having a signal transit time t_(TXD2), the transmitter unit 49 b being connected to an antenna unit 44 b and being used to transmit data signals 24 to the base station 10. Connected downstream of the receiver unit 49 a and upstream of the transmitter unit 49 b is a control unit 42 (→ signal transit time t_(CARD)) in the form of a microcontroller unit that is provided to control the PKE card 40.

A base station 10 that is also shown in FIG. 4 has a receiver unit 19 b having a signal transit time t_(RXD1), the receiver unit 19 b being connected to an antenna unit 16 b and being used to receive data signals 24 from a PKE card 40. The base station 10 also has a transmitter unit 19 a having a signal transit time t_(TXD1), the transmitter unit 19 a being connected to an antenna unit 16 a and being used to transmit the above-mentioned data signals 22 to the PKE card 40. Connected downstream of the receiver unit 19 b and upstream of the transmitter unit 19 a is a control unit 12 in the form of a microcontroller unit that is provided to control the base station 10.

When the PKE card 40 is in the active state (see FIG. 4), a communication sequence intended for authentication purposes takes place in the form of an exchange of data between the base station 10 and the PKE card 40, for which purpose data signals 22, 24 are exchanged between the base station 10 and the transponder station 40; by means of these data signals 22, 24, not only can authorization to use and/or access the motor vehicle be determined but the base station 10 can also be controlled in the appropriate way. In the case of P[assive] K[eyless] E[ntry] which is being described here, the power supply may preferably be supplied by at least one battery unit.

In detail, what exist as signal transmission links between the base station 10 and the PKE card 40 are a so-called “up-link frame” 22 that is formed by, for example, at least one inductively coupled L[ow] F[requency] channel and via which signals are transmitted from the base station 10 to the PKE card 40, and a so-called “down-link frame” 24 that is formed by, for example, at least one U[ltra] H[igh] F[requency] channel and via which signals are transmitted from the PKE card 40 to the base station 10.

However, it is also within the scope of the present invention for both the up-link frame 22 and the down-link frame 24 each to be formed by at least one L[ow] F[requency] channel in the embodiment shown in FIGS. 4 and 5. As an alternative to this, it is in turn also possible for both the up-link frame 22 and the down-link frame 24 each to be formed by at least one U[ltra] H[igh] F[requency] channel.

Once the door lock, for example, of the motor vehicle has been operated, the base station 10 that is functionally and spatially associated with the motor vehicle begins to generate a signal referred to as a “challenge”, which is transmitted to the PKE card 40 via the up-link frame 22. An electronic circuit arrangement in the PKE card 40 that is preferably arranged to have at least one microprocessor then calculates from the challenge, using a cryptographic algorithm and a secret key, a signal sequence that is referred to as a “response”. This response signal is then transmitted from the PKE card 40 via the down-link frame 24 to the base station 10.

The base station 10 then compares the response, using an identical crypto-algorithm and an identical secret key; if identity is found, the base station 10 then causes the motor vehicle's door lock to be opened, or in other words, only if the authentication recognizes the PKE card 40 as valid, generally by the use of cryptographic methods, is the door lock of the motor vehicle opened in the embodiment cited.

In order now to provide resistance to relay attacks of the kind described by reference to FIGS. 2A and 2B, there is arranged in the base station 10 a first delay element 17 that is connected downstream of the control unit 12 and upstream of the transmitter unit 19 a and that is used to set a defined, substantially constant, signal transit time t₁ within the base station 10. Similarly, there is arranged in the PKE card 40 a second delay element 47 that is connected downstream of the receiver unit 49 a and upstream of the control unit 42 and that is used to set a defined, substantially constant, signal transit time t₂ within the PKE card 40.

An external relay attack is now detected if the sum of

-   the signal transit time t₁ within the base station 10,
-   the signal transit time t₂ within the PKE card 40, and
-   twice (⇄ “out” signal 22 and “back” signal 24) the signal transit time t_(s) between the base station 10 and the PKE card 40

exceeds a defined threshold value t_(s,max), that is to say if the threshold value condition

$$t_{s,max} < t_{1} + t_{2} + 2t_{s}$$

or

$$t_{s,max} < t_{RXD1} + t_{D1} + t_{TXD1} + t_{RXD2} + t_{D2} + t_{CARD} + t_{TXD2} + 2t_{s}$$

is met, where

-   the signal transit time t₁ within the base station 10 is composed, in essence, of
    -   the signal transit time t_(RXD1) within the receiver unit 19 b,
    -   the delay in signal transit time t_(D1) caused by the first delay element 17, and
    -   the signal transit time t_(TXD1) within the transmitter unit 19 a, and
-   the signal transit time t₂ within the PKE card 40 is composed, in essence, of
    -   the signal transit time t_(RXD2) within the receiver unit 49 a,
    -   the delay in signal transit time t_(D2) caused by the second delay element 47,
    -   the signal transit time t_(CARD) within the control unit 42, and
    -   the signal transit time t_(TXD2) within the transmitter unit 49 a, and
-   t_(s) is the one-way signal transit time between the base station 10 and the PKE card 40, and 2t_(s) is therefore twice this signal transit time.

To then enable this basic idea of the present invention to be implemented, namely the use of a constant signal propagation delay t₁ (→ base station 10) or t₂ (→ PKE card 40), that is defined once, for the electronic sub-assemblies for transmitting and receiving the data exchanged between the motor vehicle (→ base station 10) and the P[assive] K[eyless] E[ntry] card 40, both the first delay element 17 within the base station 10 and the second delay element 47 within the PKE card 40 (see reference numerals 17 e and 47 e respectively) are arranged to be adjustable in four stages (see reference numerals 17 a, 17 b, 17 y, 17 z and 47 a, 47 b, 47 y, 47 z respectively) and switchable (see reference numerals 17 s and 47 s respectively), in the form of, for example

-   at least one digital gate subject to a known signal transit time and/or
-   at least one filter and/or
-   at least one clocked shift register.

To regulate the delay times t₁ and t₂ applicable to signal propagation to constant values, there are various technical implementations that are obvious possibilities. In what follows, a simple and inexpensive implementation employing regulation of the transit time will be described by reference to the detailed representation in FIG. 5, first by taking the base station 10 as an example:

A pulse to be transmitted from the base station 10 to the PKE card 40 is conveyed to the multistage (see reference numerals 17 a, 17 b, 17 y) and switchable (see reference numeral 17 s) first delay element 17. The delayed pulse is then fed to the transmitter (= transmitter unit 19 a of the base station 10) and is received directly, i.e. with no relevant additional delay in signal propagation, by the receiver (= receiver unit 19 b of the base station 10). At the same time, the pulse is also fed through the entire delay line, i.e. through all four stages 17 a, 17 b, 17 y, 17 z of the first delay element 17 (→ delay time t₁).

A decision-maker (= first decision-making unit 18 of the base station 10) that is connected downstream of the fourth and last stage 17 z of the delay element 17 and that is connected to the receiver unit 19 b signals to the control unit 12 which of the two pulses (“delayed pulse” or “pulse fed through the entire delay line”) arrives at the first decision-making unit 18 first.

In conjunction with a regulating algorithm that is implemented in the control unit 12, the switchable delay element 17 is set or corrected in such a way that the two pulses arrive as near simultaneously as possible; in this event, where the delayed pulse and the pulse that has been fed through the entire delay line arrive substantially simultaneously, the desired constant total delay t₁ in signal propagation is produced.

In what follows, an implementation employing regulation of the transit time will be described, also by reference to the detailed representation in FIG. 5, by taking the PKE card 40 as an example, which will show that the method described above for easily and inexpensively regulating signal transit times can be used in a similar or analogous fashion for compensating for the signal transit times in the PKE card 40.

A pulse transmitted from the base station 10 to the PKE card 40 is conveyed to the multistage (see reference numerals 47 a, 47 b, 47 y) and switchable (see reference numeral 47 s) second delay element 47. At the same time, the pulse is also fed through the entire delay line, i.e. through all four stages 47 a, 47 b, 47 y, 47 z of the second delay element 47 (→ delay time t₂).

A decision-maker (= second decision-making unit 48 of the PKE card 40) that is connected downstream of the fourth and last stage 47 z of the delay element 47 and that is connected to the transmitter unit 49 b signals to the control unit 42 which of the two pulses (“delayed pulse” or “pulse fed through the entire delay line”) arrives at the second decision-making unit 48 first.

In conjunction with a regulating algorithm that is implemented in the control unit 42, the switchable delay element 47 is set or corrected in such a way that the two pulses arrive as near simultaneously as possible; in this event, where the delayed pulse and the pulse that has been fed through the entire delay line arrive substantially simultaneously, the desired constant total delay t₂ in signal propagation is produced.
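The regulation and the threshold value condition described above can be tried out numerically; the following is an added example and not part of the patent text. All nanosecond values, the 8-bit delay element with 5 ns steps, the propagation speed and the names `regulate`, `Station` and `compare` are assumptions constructed for illustration.

```python
from dataclasses import dataclass

V_S = 0.2998  # assumed propagation speed v_s in metres per nanosecond


def regulate(fixed_ns, target_ns, step_ns, bits):
    """Successive approximation of the switchable delay-element setting.

    The decision-making unit only reports which pulse arrives first: the one
    through the adjustable path (fixed_ns + code * step_ns) or the reference
    pulse fed through the entire delay line (target_ns). A bit is kept only
    while the adjustable path still arrives no later than the reference.
    """
    code = 0
    for bit in reversed(range(bits)):
        trial = code | (1 << bit)
        if fixed_ns + trial * step_ns <= target_ns:
            code = trial
    return code


@dataclass
class Station:
    rx_ns: float            # t_RXD
    tx_ns: float            # t_TXD
    proc_ns: float = 0.0    # t_CARD (transponder only)
    delay_ns: float = 0.0   # t_D1 / t_D2, zero when no delay element is used

    def fixed(self):
        return self.rx_ns + self.proc_ns + self.tx_ns

    def internal(self):
        """t_1 or t_2: signal transit time within the station."""
        return self.fixed() + self.delay_ns

    def regulate_to(self, target_ns, step_ns=5.0, bits=8):
        # Hypothetical 8-bit, 5 ns/step delay element (constructed values).
        code = regulate(self.fixed(), target_ns, step_ns, bits)
        self.delay_ns = code * step_ns


def total_transit(base, card, distance_m, added_ns=0.0):
    """t_1 + t_2 + 2*t_s, plus any delay added by equipment in the path."""
    return base.internal() + card.internal() + 2 * distance_m / V_S + added_ns


def threshold(t1_ns, t2_ns, s_max_m):
    """t_s,max for internal times t_1, t_2 and maximum permitted distance."""
    return t1_ns + t2_ns + 2 * s_max_m / V_S


def is_relay(measured_ns, t_s_max_ns):
    """Threshold value condition: t_s,max < t_1 + t_2 + 2*t_s."""
    return t_s_max_ns < measured_ns


def compare(added_ns=150.0, distance_m=1.0, s_max_m=2.0):
    """Detection results for a fast and a slow unit, without and with regulation."""
    fast, slow, t_card = 160.0, 240.0, 500.0   # constructed: 200 ns +/- 40 ns
    # Without regulation the fixed threshold has to admit the slowest units.
    thr_unreg = threshold(2 * slow, 2 * slow + t_card, s_max_m)
    # With regulation every unit is trimmed to the same t_1 and t_2.
    t1, t2 = 500.0, 1000.0                     # targets >= slowest fixed delay
    thr_reg = threshold(t1, t2, s_max_m)
    out = {}
    for name, d in (("fast", fast), ("slow", slow)):
        base, card = Station(d, d), Station(d, d, t_card)
        unreg = is_relay(total_transit(base, card, distance_m, added_ns), thr_unreg)
        base.regulate_to(t1)
        card.regulate_to(t2)
        reg = is_relay(total_transit(base, card, distance_m, added_ns), thr_reg)
        legit = is_relay(total_transit(base, card, distance_m), thr_reg)
        out[name] = {"unregulated": unreg, "regulated": reg,
                     "legit_flagged": legit,
                     "t1": base.internal(), "t2": card.internal()}
    return out


if __name__ == "__main__":
    for unit, result in compare().items():
        print(unit, result)
```

With the constructed figures, the unregulated threshold flags the added delay only on the slow unit, while after regulation both units sit at the same t₁ and t₂ and the same fixed threshold flags it on both without flagging the unmodified exchange.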

So, what can be said as a result is that compensation for the toleranceson the signal transit times of transmitter and receiver units isobtained by means of the electronic communication system 100 shown inFIGS. 4 and 5 and by means of the method associated with thiscommunication system 100, which compensation may advantageously beemployed in P[assive K[eyless]E[ntry] systems or in similarconfigurations. In such systems, the present invention implements a formof transit time measurement by means of which a potential externalattack in the form of a so-called relay attack can be detected and/orguarded against.

In this case, both the electronic communication system 100 described and the method described constitute a flexible, cost-efficient, novel and inventive extension of signal transit time measurements which were possible in the prior art, to enable these latter to be used even under practical conditions. The accuracy and reliability of the principle of time measurement (see the time measuring unit 50 in FIG. 4) are increased in this case.

In this connection, typical incidental conditions that made it difficult for signal transit time measurement to be used in the past are overcome in accordance with the invention, such as, say

-   scatters in the signal transit times within the transmitter and receiver due to tolerances on the components
-   changes in the signal transit times within the transmitter and receiver due to the effects of temperature and to ageing, and/or
-   the pressure of costs when used in mass production.

The present invention may with advantage be used in P[assive] K[eyless] E[ntry] systems, which are being used to an increasing degree in the field of access systems for motor vehicles. What is more, the electronic communication system 100 described and the method described are also suitable for producing secure access systems based on chip cards 40 in the field of building security, in which case the arrangement described that is shown in FIGS. 4 and 5 may also be used in a similar way to guard against relay attacks on access/entry systems.

LIST OF REFERENCE NUMERALS

-   100 Electronic communication system
-   10 Base station
-   11 First resistor of base station 10
-   12 Control unit, in particular microcontroller unit, of base station 10
-   13 Capacitive unit of base station 10
-   14 Analog interface of base station 10
-   15 Second resistor of base station 10
-   16 Antenna unit of base station 10
-   16 a Antenna unit of base station 10 associated with transmitter unit 19 a
-   16 b Antenna unit of base station 10 associated with receiver unit 19 b
-   17 First delay element of base station 10
-   17 a First stage of first delay element 17
-   17 b Second stage of first delay element 17
-   17 e Setting facility of first delay element 17
-   17 s Switching facility of first delay element 17
-   17 y Stage before last of first delay element 17
-   17 z Last stage of first delay element 17
-   18 First decision-making unit of base station 10
-   19 a Transmitter unit of base station 10
-   19 b Receiver unit of base station 10
-   22 Up-link frame
-   23 Up-link frame emulation
-   24 Down-link frame
-   25 Down-link frame emulation
-   30 Additional transmission link
-   32 First relay forming an emulator for the transponder station 40
-   34 Antenna unit of first relay 32
-   35 Communications link between first relay 32 and second relay 36
-   36 Second relay forming an emulator for the base station 10
-   38 Antenna unit of second relay 36
-   40 Transponder station, in particular a data carrier and specifically a P[assive] K[eyless] E[ntry] card
-   42 Circuit arrangement or control unit, in particular microcontroller unit, of transponder station 40
-   44 Antenna unit of transponder station 40
-   44 a Antenna unit of transponder station 40 associated with receiver unit 49 a
-   44 b Antenna unit of transponder station 40 associated with transmitter unit 49 b
-   47 Second delay element of transponder station 40
-   47 a First stage of second delay element 47
-   47 b Second stage of second delay element 47
-   47 e Setting facility of second delay element 47
-   47 s Switching facility of second delay element 47
-   47 y Stage before last of second delay element 47
-   47 z Last stage of second delay element 47
-   48 Second decision-making unit of transponder station 40
-   49 a Receiver unit of base station 40
-   49 b Transmitter unit of base station 40
-   50 Time measurement facility
-   s Distance between base station 10 and transponder station 40
-   t₁ Signal transit time within base station 10
-   t₂ Signal transit time with transponder station 40
-   t_(CARD) Signal transit time in control unit 42 of transponder station 40
-   t_(D1) Delay in transit time within first delay element 17 of base station 10
-   t_(D2) Delay in transit time within second delay element 47 of transponder station 40
-   t_(RXD1) Signal transit time in receiver unit 19 b of base station 10
-   Δt_(RXD1) Tolerance on signal transit time in receiver unit 19 b of base station 10
-   t_(RXD2) Signal transit time in receiver unit 49 a of transponder station 40
-   Δt_(RXD2) Tolerance on signal transit time in receiver unit 49 a of transponder station 40
-   t_(s) Signal transit time between base station 10 and transponder station 40
-   t_(total) Total signal transit time in the electronic communication system 100
-   t_(TXD1) Signal transit time in transmitter unit 19 a of base station 10
-   Δt_(TXD1) Tolerance on signal transit time in transmitter unit 19 a of base station 10
-   t_(TXD2) Signal transit time in transmitter unit 49 b of transponder station 40
-   Δt_(TXD2) Tolerance on signal transit time in transmitter unit 49 b of transponder station 40
-   V_(s) Speed of signal propagation between base station 10 and transponder station 40

1. An electronic communication system, having at least one base station having at least one antenna unit, in particular in coil form, which base station is arranged in particular on or in an object to be secured against unauthorized use and/or against unauthorized access, such as on or in, say, a means of transport or on or in an access system, and at least one transponder station, in particular in data-carrier form, having at least one antenna unit, in particular in coil form, which transponder station may in particular be carried with him by an authorized user and/or is designed to exchange data signals with the base station, in which case, by means of the data signals the authorization for use and/or access can be determined and/or the base station can be controlled accordingly, characterized in that there is arranged in the base station at least one first delay element for setting a defined, and in particular substantially constant, signal transit time within the base station and/or there is arranged in the transponder station at least one second delay element for setting a defined, and in particular substantially constant, signal transit time within the transponder station.
2. A communication system as claimed in claim 1, characterized in that the first delay element and/or the second delay element are/is arranged to be settable, multistage, and switchable and have/has at least one digital gate subject to a known signal transit time and/or at least one filter and/or at least one clocked shift register.
3. A communication system as claimed in claim 1, characterized in that there is connected downstream of the last stage of the first delay element at least one first decision-making unit that is connected to at least one control unit of the base station and/or to at least one receiver unit of the base station and/or there is connected downstream of the last stage of the second delay element at least one second decision-making unit that is connected to at least one control unit of the transponder station and/or to at least one receiver unit of the transponder station.
4. A base station for an electronic communication system as claimed in claim 1, characterized by at least one receiver unit for receiving the data signals from the transponder station, which receiver unit is connected to the antenna unit associated with the base station, at least one control unit, in particular a microcontroller unit, for controlling the base station, which control unit is connected to the receiver unit and is preferably connected upstream of the first delay element, the at least one first delay element for setting the defined, and in particular substantially constant, signal transit time within the base station, and at least one transmitter unit for transmitting the data signals to the transponder station, which transmitter unit is connected to the antenna unit associated with the base station and is preferably connected downstream of the first delay element.
5. A transponder station for an electronic communication system as claimed in claim 1 characterized by at least one receiver unit for receiving the data signals from the base station, which receiver unit is connected to the antenna unit associated with the transponder station and is preferably connected upstream of the second delay element, the at least one second delay element for setting the defined, and in particular substantially constant, signal transit time within the transponder station, at least one control unit, in particular a microcontroller unit, for controlling the transponder station, which control unit is preferably connected downstream of the second delay element, and at least one transmitter unit for transmitting the data signals to the base station, which transmitter unit is connected to the antenna unit associated with the transponder station and is preferably connected downstream of the control unit.
6. A transponder station as claimed in claim 5, characterized in that the transponder station is arranged in at least one data carrier, and in particular in at least one card, and specifically in at least one chip card.
7. A method of detecting and/or guarding against at least one, in particular external, attack, and preferably at least one relay attack, on at least one electronic communication system as defined in the preamble to claim 1, characterized in that there are/is set within the base station, a defined, and in particular substantially constant, signal transit time and/or within the transponder station, a defined, and in particular substantially constant, signal transit time, thus enabling the attack to be detected if the sum of the signal transit time within the base station, the signal transit time within the transponder station and twice the signal transit time of the data signals between the base station and the transponder station exceeds a defined threshold value.
8. A method as claimed in claim 7, characterized in that [a.1] a pulse that forms at least part of the data signal to be transmitted to the transponder station is conveyed within the base station to at least one first delay element, [a.2] the pulse, having been delayed by the first delay element, is then fed to at least one transmitter unit associated with the base station and is received directly, i.e. with no relevant additional delay, by at least one receiver unit associated with the base station, [b] the pulse that forms at least part of the data signal to be transmitted to the transponder station is fed through the entire first delay element substantially at the same time, [c] at least one first decision-making unit that is connected downstream of the last stage of the first delay element signals to at least one control unit of the base station whether it is the delayed pulse (see method step [a.2]) or the pulse fed through the entire first delay element (see method step [b]) that arrives at the first decision-making unit first, and [d] the first delay element is so set or switched or corrected that the delayed pulse (see method step [a.2]) and the pulse fed through the entire first delay element (see method step [b]) arrive as nearly simultaneously as possible.
9. A method as claimed in claim 7, characterized in that [e] a pulse that forms at least part of the data signal received from the base station is conveyed within the transponder station to at least one second delay element, [f] the pulse that forms at least part of the data signal received from the base station is also fed through the entire second delay element substantially at the same time, [c] at least one second decision-making unit that is connected downstream of the last stage of the second delay element signals to at least one control unit of the transponder station whether it is the delayed pulse (see method step [e]) or the pulse fed through the entire second delay element (see method step [f]) that arrives at the second decision-making unit first, and [d] the second delay element is so set or switched or corrected that the delayed pulse (see method step [e]) and the pulse fed through the entire second delay element (see method step [f]) arrive as nearly simultaneously as possible.
10. Use of at least one electronic communication system as claimed in claim 1, and in particular of at least one transponder station as claimed in claim 5, for authenticating and/or for identifying and/or for checking the authority to use, enter or the like an object to be secured by means of the communication system, such as, say, a means of transport or an access system.